bisecting cause commit starting from 7e63420847ae5f1036e4f7c42f0b3282e73efbc2 building syzkaller on 99a9604483616177d7cd7d3e092ce42a3eaff74a testing commit 7e63420847ae5f1036e4f7c42f0b3282e73efbc2 with gcc (GCC) 8.1.0 kernel signature: 87594a786a15da5d7272e88044d238ae4cb1352bedfcae69b47052fdb8cc9485 run #0: crashed: possible deadlock in io_submit_one run #1: crashed: possible deadlock in io_submit_one run #2: crashed: possible deadlock in io_submit_one run #3: crashed: possible deadlock in io_submit_one run #4: crashed: possible deadlock in io_submit_one run #5: crashed: possible deadlock in io_submit_one run #6: crashed: possible deadlock in io_submit_one run #7: OK run #8: OK run #9: OK testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: 7c77a7df1a6b17145dba8ae105afb82b58e750f1d75c53b6e94222346a62f94b all runs: OK # git bisect start 7e63420847ae5f1036e4f7c42f0b3282e73efbc2 7111951b8d4973bda27ff663f2cf18b663d15b48 Bisecting: 5723 revisions left to test after this (roughly 13 steps) [98f3b56fa62a61f1d4d6a5fdd035f0b03be1e93f] kasan: add test for invalid size in memmove testing commit 98f3b56fa62a61f1d4d6a5fdd035f0b03be1e93f with gcc (GCC) 8.1.0 kernel signature: 1e2f1dc8adca842c921778797057352b927eaf77d82ec73e478c8466e51473ac all runs: OK # git bisect good 98f3b56fa62a61f1d4d6a5fdd035f0b03be1e93f Bisecting: 3039 revisions left to test after this (roughly 12 steps) [bc3b3f4bfbded031a11c4284106adddbfacd05bb] Merge tag 'pinctrl-v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit bc3b3f4bfbded031a11c4284106adddbfacd05bb with gcc (GCC) 8.1.0 kernel signature: fdde2b97d1b3fd50135393875b1133a5b79aa4cdb367f37e79032c3c0104a0dd run #0: crashed: possible deadlock in io_submit_one run #1: crashed: possible deadlock in io_submit_one run #2: crashed: possible deadlock in io_submit_one run #3: crashed: possible deadlock in io_submit_one run #4: crashed: possible deadlock in io_submit_one run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad bc3b3f4bfbded031a11c4284106adddbfacd05bb Bisecting: 1316 revisions left to test after this (roughly 10 steps) [9001b17698d86f842e2b13e0cafe8021d43209e9] Merge tag 'drm-intel-next-2020-03-13' of git://anongit.freedesktop.org/drm/drm-intel into drm-next testing commit 9001b17698d86f842e2b13e0cafe8021d43209e9 with gcc (GCC) 8.1.0 kernel signature: a4ce99845a854f075bc3bf0f771f2f22065d8bd6aab01b85fe4f7089b67b52ea all runs: OK # git bisect good 9001b17698d86f842e2b13e0cafe8021d43209e9 Bisecting: 662 revisions left to test after this (roughly 9 steps) [919dce24701f7b34681a6a1d3ef95c9f6c4fb1cc] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit 919dce24701f7b34681a6a1d3ef95c9f6c4fb1cc with gcc (GCC) 8.1.0 kernel signature: 02726037e0ac601b997fe396a8ba220c5a4892fdaaf32dbb13e76e90d4eef537 all runs: OK # git bisect good 919dce24701f7b34681a6a1d3ef95c9f6c4fb1cc Bisecting: 376 revisions left to test after this (roughly 8 steps) [514ccc194971d0649e4e7ec8a9b3a6e33561d7bf] x86/kvm: fix a missing-prototypes "vmread_error" testing commit 514ccc194971d0649e4e7ec8a9b3a6e33561d7bf with gcc (GCC) 8.1.0 kernel signature: c929afb2dcb20d1329c1aac41b83ab0c4d21b9d90ba2859c7d5283232f854b85 all runs: OK # git bisect good 514ccc194971d0649e4e7ec8a9b3a6e33561d7bf Bisecting: 163 revisions left to test after this (roughly 8 steps) [7be97138e7276c71cc9ad1752dcb502d28f4400d] Merge tag 'xfs-5.7-merge-8' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux testing commit 7be97138e7276c71cc9ad1752dcb502d28f4400d with gcc (GCC) 8.1.0 kernel signature: 556ce0dc318eff46483fcb5feb44f1ac4332772be1bdac6fca5c22b31a92fe01 run #0: crashed: possible deadlock in io_submit_one run #1: crashed: possible deadlock in io_submit_one run #2: crashed: possible deadlock in io_submit_one run #3: crashed: possible deadlock in io_submit_one run #4: crashed: possible deadlock in io_submit_one run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 7be97138e7276c71cc9ad1752dcb502d28f4400d Bisecting: 106 revisions left to test after this (roughly 7 steps) [d59f44d3e723c4f7143d910dfa333f2bdb587bbc] xfs: directory bestfree check should release buffers testing commit d59f44d3e723c4f7143d910dfa333f2bdb587bbc with gcc (GCC) 8.1.0 kernel signature: a2eb99c6e13f20da109190d0a528b10dc3a3e9e96f7af251f5c576cc7278f34d all runs: OK # git bisect good d59f44d3e723c4f7143d910dfa333f2bdb587bbc Bisecting: 53 revisions left to test after this (roughly 6 steps) [7ef482fa65513b18eed05a5c5f00413aad137810] helper for mount rootwards traversal testing commit 7ef482fa65513b18eed05a5c5f00413aad137810 with gcc (GCC) 8.1.0 kernel signature: 5f46d9a7f98de7404c60384b49f2496738cee261bbc9871a83a1c0c40c80863a all runs: OK # git bisect good 7ef482fa65513b18eed05a5c5f00413aad137810 Bisecting: 26 revisions left to test after this (roughly 5 steps) [4b871ce26ab2c758ea90b8dd659e4267aae9e943] Merged 'Infrastructure to allow fixing exec deadlocks' from Bernd Edlinger testing commit 4b871ce26ab2c758ea90b8dd659e4267aae9e943 with gcc (GCC) 8.1.0 kernel signature: ae68f94e453ac1d677e0bfffd76f6b099bb7b9305f3ac436168a879f56d21c39 run #0: crashed: possible deadlock in io_submit_one run #1: crashed: possible deadlock in io_submit_one run #2: crashed: possible deadlock in io_submit_one run #3: crashed: possible deadlock in io_submit_one run #4: crashed: possible deadlock in io_submit_one run #5: crashed: possible deadlock in io_submit_one run #6: crashed: possible deadlock in io_submit_one run #7: OK run #8: OK run #9: OK # git bisect bad 4b871ce26ab2c758ea90b8dd659e4267aae9e943 Bisecting: 13 revisions left to test after this (roughly 4 steps) [2ca7be7d55ad84fb0f7c2a23fb700a28fd76b19a] exec: Only compute current once in flush_old_exec testing commit 2ca7be7d55ad84fb0f7c2a23fb700a28fd76b19a with gcc (GCC) 8.1.0 kernel signature: d2a1aa7086baacacb667b7051b27aaa2bdd70b888de6836b20dd45d58543ee37 run #0: crashed: possible deadlock in io_submit_one run #1: crashed: possible deadlock in io_submit_one run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 2ca7be7d55ad84fb0f7c2a23fb700a28fd76b19a Bisecting: 6 revisions left to test after this (roughly 3 steps) [7bc3e6e55acf065500a24621f3b313e7e5998acf] proc: Use a list of inodes to flush from proc testing commit 7bc3e6e55acf065500a24621f3b313e7e5998acf with gcc (GCC) 8.1.0 kernel signature: b8c734e2dc0f08ca9454cfe77264ad70cf8d67a52464a5a6fe72d92c73678ad4 run #0: crashed: possible deadlock in io_submit_one run #1: crashed: possible deadlock in io_submit_one run #2: crashed: possible deadlock in io_submit_one run #3: crashed: possible deadlock in io_submit_one run #4: crashed: possible deadlock in io_submit_one run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 7bc3e6e55acf065500a24621f3b313e7e5998acf Bisecting: 2 revisions left to test after this (roughly 2 steps) [080f6276fccfb3923691e57c1b44a627eabd1a25] proc: In proc_prune_siblings_dcache cache an aquired super block testing commit 080f6276fccfb3923691e57c1b44a627eabd1a25 with gcc (GCC) 8.1.0 kernel signature: 9b3a9c353a280e45a85832fd5ccf63165e323b359bbc58b849623d5711334743 all runs: OK # git bisect good 080f6276fccfb3923691e57c1b44a627eabd1a25 Bisecting: 0 revisions left to test after this (roughly 1 step) [71448011ea2a1cd36d8f5cbdab0ed716c454d565] proc: Clear the pieces of proc_inode that proc_evict_inode cares about testing commit 71448011ea2a1cd36d8f5cbdab0ed716c454d565 with gcc (GCC) 8.1.0 kernel signature: 37192f03837cb6613b3f8c21489dd010d2a4f3ba881a841b4a414531b60bc956 all runs: OK # git bisect good 71448011ea2a1cd36d8f5cbdab0ed716c454d565 7bc3e6e55acf065500a24621f3b313e7e5998acf is the first bad commit commit 7bc3e6e55acf065500a24621f3b313e7e5998acf Author: Eric W. Biederman Date: Wed Feb 19 18:22:26 2020 -0600 proc: Use a list of inodes to flush from proc Rework the flushing of proc to use a list of directory inodes that need to be flushed. The list is kept on struct pid not on struct task_struct, as there is a fixed connection between proc inodes and pids but at least for the case of de_thread the pid of a task_struct changes. This removes the dependency on proc_mnt which allows for different mounts of proc having different mount options even in the same pid namespace and this allows for the removal of proc_mnt which will trivially the first mount of proc to honor it's mount options. This flushing remains an optimization. The functions pid_delete_dentry and pid_revalidate ensure that ordinary dcache management will not attempt to use dentries past the point their respective task has died. When unused the shrinker will eventually be able to remove these dentries. There is a case in de_thread where proc_flush_pid can be called early for a given pid. Which winds up being safe (if suboptimal) as this is just an optiimization. Only pid directories are put on the list as the other per pid files are children of those directories and d_invalidate on the directory will get them as well. So that the pid can be used during flushing it's reference count is taken in release_task and dropped in proc_flush_pid. Further the call of proc_flush_pid is moved after the tasklist_lock is released in release_task so that it is certain that the pid has already been unhashed when flushing it taking place. This removes a small race where a dentry could recreated. As struct pid is supposed to be small and I need a per pid lock I reuse the only lock that currently exists in struct pid the the wait_pidfd.lock. The net result is that this adds all of this functionality with just a little extra list management overhead and a single extra pointer in struct pid. v2: Initialize pid->inodes. I somehow failed to get that initialization into the initial version of the patch. A boot failure was reported by "kernel test robot ", and failure to initialize that pid->inodes matches all of the reported symptoms. Signed-off-by: Eric W. Biederman fs/proc/base.c | 111 ++++++++++++++++-------------------------------- fs/proc/inode.c | 2 +- fs/proc/internal.h | 1 + include/linux/pid.h | 1 + include/linux/proc_fs.h | 4 +- kernel/exit.c | 4 +- kernel/pid.c | 1 + 7 files changed, 45 insertions(+), 79 deletions(-) culprit signature: b8c734e2dc0f08ca9454cfe77264ad70cf8d67a52464a5a6fe72d92c73678ad4 parent signature: 37192f03837cb6613b3f8c21489dd010d2a4f3ba881a841b4a414531b60bc956 revisions tested: 15, total time: 4h4m42.255350447s (build: 1h35m41.068416999s, test: 2h27m46.321756458s) first bad commit: 7bc3e6e55acf065500a24621f3b313e7e5998acf proc: Use a list of inodes to flush from proc cc: ["adobriyan@gmail.com" "akpm@linux-foundation.org" "allison@lohutok.net" "areber@redhat.com" "aubrey.li@linux.intel.com" "avagin@gmail.com" "christian@brauner.io" "cyphar@cyphar.com" "ebiederm@xmission.com" "gregkh@linuxfoundation.org" "guro@fb.com" "joel@joelfernandes.org" "keescook@chromium.org" "linmiaohe@huawei.com" "linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "mhocko@suse.com" "mingo@kernel.org" "oleg@redhat.com" "peterz@infradead.org" "sargun@sargun.me" "tglx@linutronix.de" "viro@zeniv.linux.org.uk"] crash: possible deadlock in io_submit_one ===================================================== WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected 5.6.0-rc2-syzkaller #0 Not tainted ----------------------------------------------------- syz-executor.1/23827 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire: ffff888095e78748 (&pid->wait_pidfd){+.+.}, at: spin_lock include/linux/spinlock.h:338 [inline] ffff888095e78748 (&pid->wait_pidfd){+.+.}, at: aio_poll fs/aio.c:1767 [inline] ffff888095e78748 (&pid->wait_pidfd){+.+.}, at: __io_submit_one fs/aio.c:1841 [inline] ffff888095e78748 (&pid->wait_pidfd){+.+.}, at: io_submit_one+0x97f/0x2b00 fs/aio.c:1878 and this task is already holding: ffff88808c9d9018 (&(&ctx->ctx_lock)->rlock){..-.}, at: spin_lock_irq include/linux/spinlock.h:363 [inline] ffff88808c9d9018 (&(&ctx->ctx_lock)->rlock){..-.}, at: aio_poll fs/aio.c:1765 [inline] ffff88808c9d9018 (&(&ctx->ctx_lock)->rlock){..-.}, at: __io_submit_one fs/aio.c:1841 [inline] ffff88808c9d9018 (&(&ctx->ctx_lock)->rlock){..-.}, at: io_submit_one+0x93f/0x2b00 fs/aio.c:1878 which would create a new lock dependency: (&(&ctx->ctx_lock)->rlock){..-.} -> (&pid->wait_pidfd){+.+.} but this new dependency connects a SOFTIRQ-irq-safe lock: (&(&ctx->ctx_lock)->rlock){..-.} ... which became SOFTIRQ-irq-safe at: lock_acquire+0x19b/0x420 kernel/locking/lockdep.c:4484 __raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline] _raw_spin_lock_irq+0x5e/0x80 kernel/locking/spinlock.c:167 spin_lock_irq include/linux/spinlock.h:363 [inline] free_ioctx_users+0x2b/0x3e0 fs/aio.c:618 percpu_ref_put_many include/linux/percpu-refcount.h:309 [inline] percpu_ref_put include/linux/percpu-refcount.h:325 [inline] percpu_ref_call_confirm_rcu lib/percpu-refcount.c:130 [inline] percpu_ref_switch_to_atomic_rcu+0x387/0x450 lib/percpu-refcount.c:165 rcu_do_batch kernel/rcu/tree.c:2186 [inline] rcu_core+0x584/0x1290 kernel/rcu/tree.c:2410 __do_softirq+0x26e/0x9b2 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:373 [inline] irq_exit+0x191/0x1d0 kernel/softirq.c:413 exiting_irq arch/x86/include/asm/apic.h:546 [inline] smp_apic_timer_interrupt+0x1a1/0x5f0 arch/x86/kernel/apic/apic.c:1146 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829 deref_stack_reg+0x1b/0xe0 arch/x86/kernel/unwind_orc.c:347 unwind_next_frame+0x1231/0x1b30 arch/x86/kernel/unwind_orc.c:548 arch_stack_walk+0x77/0xd0 arch/x86/kernel/stacktrace.c:25 stack_trace_save+0x85/0xb0 kernel/stacktrace.c:123 save_stack+0x19/0x80 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:515 __do_kmalloc mm/slab.c:3656 [inline] __kmalloc+0x164/0x7b0 mm/slab.c:3665 kmalloc include/linux/slab.h:560 [inline] kzalloc include/linux/slab.h:669 [inline] tnode_alloc net/ipv4/fib_trie.c:336 [inline] tnode_new+0x182/0x230 net/ipv4/fib_trie.c:389 inflate net/ipv4/fib_trie.c:600 [inline] resize+0x6fa/0x1910 net/ipv4/fib_trie.c:873 trie_rebalance net/ipv4/fib_trie.c:1064 [inline] fib_insert_node net/ipv4/fib_trie.c:1108 [inline] fib_insert_alias+0x99d/0xf10 net/ipv4/fib_trie.c:1122 fib_table_insert+0x559/0x1980 net/ipv4/fib_trie.c:1333 fib_magic.isra.24+0x34a/0x500 net/ipv4/fib_frontend.c:1082 fib_add_ifaddr+0x155/0x460 net/ipv4/fib_frontend.c:1104 fib_inetaddr_event+0x139/0x1f9 net/ipv4/fib_frontend.c:1417 notifier_call_chain+0x86/0x150 kernel/notifier.c:83 __blocking_notifier_call_chain kernel/notifier.c:284 [inline] blocking_notifier_call_chain+0x66/0xa0 kernel/notifier.c:295 __inet_insert_ifa+0x75e/0xa20 net/ipv4/devinet.c:552 inet_rtm_newaddr+0xc93/0x1380 net/ipv4/devinet.c:951 rtnetlink_rcv_msg+0x346/0x8c0 net/core/rtnetlink.c:5438 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2477 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xac/0xe0 net/socket.c:672 __sys_sendto+0x1d3/0x2b0 net/socket.c:1998 __do_compat_sys_socketcall net/compat.c:771 [inline] __se_compat_sys_socketcall net/compat.c:719 [inline] __ia32_compat_sys_socketcall+0x401/0x550 net/compat.c:719 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline] do_fast_syscall_32+0x231/0xb27 arch/x86/entry/common.c:408 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 to a SOFTIRQ-irq-unsafe lock: (&pid->wait_pidfd){+.+.} ... which became SOFTIRQ-irq-unsafe at: ... lock_acquire+0x19b/0x420 kernel/locking/lockdep.c:4484 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:338 [inline] proc_pid_make_inode+0x1c0/0x390 fs/proc/base.c:1880 proc_pid_instantiate+0x40/0x140 fs/proc/base.c:3285 proc_pid_lookup+0x134/0x240 fs/proc/base.c:3320 proc_root_lookup+0x16/0x40 fs/proc/root.c:243 __lookup_slow+0x204/0x3d0 fs/namei.c:1757 lookup_slow fs/namei.c:1774 [inline] walk_component+0x684/0xef0 fs/namei.c:1915 link_path_walk.part.40+0x3c4/0xdc0 fs/namei.c:2238 link_path_walk fs/namei.c:2172 [inline] path_openat+0x194/0x2aa0 fs/namei.c:3606 do_filp_open+0x171/0x240 fs/namei.c:3637 do_sys_openat2+0x2b9/0x480 fs/open.c:1149 do_sys_open+0x85/0xd0 fs/open.c:1165 do_syscall_64+0xc6/0x5e0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&pid->wait_pidfd); local_irq_disable(); lock(&(&ctx->ctx_lock)->rlock); lock(&pid->wait_pidfd); lock(&(&ctx->ctx_lock)->rlock); *** DEADLOCK *** 1 lock held by syz-executor.1/23827: #0: ffff88808c9d9018 (&(&ctx->ctx_lock)->rlock){..-.}, at: spin_lock_irq include/linux/spinlock.h:363 [inline] #0: ffff88808c9d9018 (&(&ctx->ctx_lock)->rlock){..-.}, at: aio_poll fs/aio.c:1765 [inline] #0: ffff88808c9d9018 (&(&ctx->ctx_lock)->rlock){..-.}, at: __io_submit_one fs/aio.c:1841 [inline] #0: ffff88808c9d9018 (&(&ctx->ctx_lock)->rlock){..-.}, at: io_submit_one+0x93f/0x2b00 fs/aio.c:1878 the dependencies between SOFTIRQ-irq-safe lock and the holding lock: -> (&(&ctx->ctx_lock)->rlock){..-.} { IN-SOFTIRQ-W at: lock_acquire+0x19b/0x420 kernel/locking/lockdep.c:4484 __raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline] _raw_spin_lock_irq+0x5e/0x80 kernel/locking/spinlock.c:167 spin_lock_irq include/linux/spinlock.h:363 [inline] free_ioctx_users+0x2b/0x3e0 fs/aio.c:618 percpu_ref_put_many include/linux/percpu-refcount.h:309 [inline] percpu_ref_put include/linux/percpu-refcount.h:325 [inline] percpu_ref_call_confirm_rcu lib/percpu-refcount.c:130 [inline] percpu_ref_switch_to_atomic_rcu+0x387/0x450 lib/percpu-refcount.c:165 rcu_do_batch kernel/rcu/tree.c:2186 [inline] rcu_core+0x584/0x1290 kernel/rcu/tree.c:2410 __do_softirq+0x26e/0x9b2 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:373 [inline] irq_exit+0x191/0x1d0 kernel/softirq.c:413 exiting_irq arch/x86/include/asm/apic.h:546 [inline] smp_apic_timer_interrupt+0x1a1/0x5f0 arch/x86/kernel/apic/apic.c:1146 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829 deref_stack_reg+0x1b/0xe0 arch/x86/kernel/unwind_orc.c:347 unwind_next_frame+0x1231/0x1b30 arch/x86/kernel/unwind_orc.c:548 arch_stack_walk+0x77/0xd0 arch/x86/kernel/stacktrace.c:25 stack_trace_save+0x85/0xb0 kernel/stacktrace.c:123 save_stack+0x19/0x80 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:515 __do_kmalloc mm/slab.c:3656 [inline] __kmalloc+0x164/0x7b0 mm/slab.c:3665 kmalloc include/linux/slab.h:560 [inline] kzalloc include/linux/slab.h:669 [inline] tnode_alloc net/ipv4/fib_trie.c:336 [inline] tnode_new+0x182/0x230 net/ipv4/fib_trie.c:389 inflate net/ipv4/fib_trie.c:600 [inline] resize+0x6fa/0x1910 net/ipv4/fib_trie.c:873 trie_rebalance net/ipv4/fib_trie.c:1064 [inline] fib_insert_node net/ipv4/fib_trie.c:1108 [inline] fib_insert_alias+0x99d/0xf10 net/ipv4/fib_trie.c:1122 fib_table_insert+0x559/0x1980 net/ipv4/fib_trie.c:1333 fib_magic.isra.24+0x34a/0x500 net/ipv4/fib_frontend.c:1082 fib_add_ifaddr+0x155/0x460 net/ipv4/fib_frontend.c:1104 fib_inetaddr_event+0x139/0x1f9 net/ipv4/fib_frontend.c:1417 notifier_call_chain+0x86/0x150 kernel/notifier.c:83 __blocking_notifier_call_chain kernel/notifier.c:284 [inline] blocking_notifier_call_chain+0x66/0xa0 kernel/notifier.c:295 __inet_insert_ifa+0x75e/0xa20 net/ipv4/devinet.c:552 inet_rtm_newaddr+0xc93/0x1380 net/ipv4/devinet.c:951 rtnetlink_rcv_msg+0x346/0x8c0 net/core/rtnetlink.c:5438 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2477 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xac/0xe0 net/socket.c:672 __sys_sendto+0x1d3/0x2b0 net/socket.c:1998 __do_compat_sys_socketcall net/compat.c:771 [inline] __se_compat_sys_socketcall net/compat.c:719 [inline] __ia32_compat_sys_socketcall+0x401/0x550 net/compat.c:719 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline] do_fast_syscall_32+0x231/0xb27 arch/x86/entry/common.c:408 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 INITIAL USE at: lock_acquire+0x19b/0x420 kernel/locking/lockdep.c:4484 __raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline] _raw_spin_lock_irq+0x5e/0x80 kernel/locking/spinlock.c:167 spin_lock_irq include/linux/spinlock.h:363 [inline] free_ioctx_users+0x2b/0x3e0 fs/aio.c:618 percpu_ref_put_many include/linux/percpu-refcount.h:309 [inline] percpu_ref_put include/linux/percpu-refcount.h:325 [inline] percpu_ref_call_confirm_rcu lib/percpu-refcount.c:130 [inline] percpu_ref_switch_to_atomic_rcu+0x387/0x450 lib/percpu-refcount.c:165 rcu_do_batch kernel/rcu/tree.c:2186 [inline] rcu_core+0x584/0x1290 kernel/rcu/tree.c:2410 __do_softirq+0x26e/0x9b2 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:373 [inline] irq_exit+0x191/0x1d0 kernel/softirq.c:413 exiting_irq arch/x86/include/asm/apic.h:546 [inline] smp_apic_timer_interrupt+0x1a1/0x5f0 arch/x86/kernel/apic/apic.c:1146 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829 deref_stack_reg+0x1b/0xe0 arch/x86/kernel/unwind_orc.c:347 unwind_next_frame+0x1231/0x1b30 arch/x86/kernel/unwind_orc.c:548 arch_stack_walk+0x77/0xd0 arch/x86/kernel/stacktrace.c:25 stack_trace_save+0x85/0xb0 kernel/stacktrace.c:123 save_stack+0x19/0x80 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:515 __do_kmalloc mm/slab.c:3656 [inline] __kmalloc+0x164/0x7b0 mm/slab.c:3665 kmalloc include/linux/slab.h:560 [inline] kzalloc include/linux/slab.h:669 [inline] tnode_alloc net/ipv4/fib_trie.c:336 [inline] tnode_new+0x182/0x230 net/ipv4/fib_trie.c:389 inflate net/ipv4/fib_trie.c:600 [inline] resize+0x6fa/0x1910 net/ipv4/fib_trie.c:873 trie_rebalance net/ipv4/fib_trie.c:1064 [inline] fib_insert_node net/ipv4/fib_trie.c:1108 [inline] fib_insert_alias+0x99d/0xf10 net/ipv4/fib_trie.c:1122 fib_table_insert+0x559/0x1980 net/ipv4/fib_trie.c:1333 fib_magic.isra.24+0x34a/0x500 net/ipv4/fib_frontend.c:1082 fib_add_ifaddr+0x155/0x460 net/ipv4/fib_frontend.c:1104 fib_inetaddr_event+0x139/0x1f9 net/ipv4/fib_frontend.c:1417 notifier_call_chain+0x86/0x150 kernel/notifier.c:83 __blocking_notifier_call_chain kernel/notifier.c:284 [inline] blocking_notifier_call_chain+0x66/0xa0 kernel/notifier.c:295 __inet_insert_ifa+0x75e/0xa20 net/ipv4/devinet.c:552 inet_rtm_newaddr+0xc93/0x1380 net/ipv4/devinet.c:951 rtnetlink_rcv_msg+0x346/0x8c0 net/core/rtnetlink.c:5438 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2477 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xac/0xe0 net/socket.c:672 __sys_sendto+0x1d3/0x2b0 net/socket.c:1998 __do_compat_sys_socketcall net/compat.c:771 [inline] __se_compat_sys_socketcall net/compat.c:719 [inline] __ia32_compat_sys_socketcall+0x401/0x550 net/compat.c:719 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline] do_fast_syscall_32+0x231/0xb27 arch/x86/entry/common.c:408 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 } ... key at: [] __key.55053+0x0/0x40 ... acquired at: lock_acquire+0x19b/0x420 kernel/locking/lockdep.c:4484 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:338 [inline] aio_poll fs/aio.c:1767 [inline] __io_submit_one fs/aio.c:1841 [inline] io_submit_one+0x97f/0x2b00 fs/aio.c:1878 __do_compat_sys_io_submit fs/aio.c:1979 [inline] __se_compat_sys_io_submit fs/aio.c:1949 [inline] __ia32_compat_sys_io_submit+0x163/0x3a0 fs/aio.c:1949 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline] do_fast_syscall_32+0x231/0xb27 arch/x86/entry/common.c:408 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 the dependencies between the lock to be acquired and SOFTIRQ-irq-unsafe lock: -> (&pid->wait_pidfd){+.+.} { HARDIRQ-ON-W at: lock_acquire+0x19b/0x420 kernel/locking/lockdep.c:4484 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:338 [inline] proc_pid_make_inode+0x1c0/0x390 fs/proc/base.c:1880 proc_pid_instantiate+0x40/0x140 fs/proc/base.c:3285 proc_pid_lookup+0x134/0x240 fs/proc/base.c:3320 proc_root_lookup+0x16/0x40 fs/proc/root.c:243 __lookup_slow+0x204/0x3d0 fs/namei.c:1757 lookup_slow fs/namei.c:1774 [inline] walk_component+0x684/0xef0 fs/namei.c:1915 link_path_walk.part.40+0x3c4/0xdc0 fs/namei.c:2238 link_path_walk fs/namei.c:2172 [inline] path_openat+0x194/0x2aa0 fs/namei.c:3606 do_filp_open+0x171/0x240 fs/namei.c:3637 do_sys_openat2+0x2b9/0x480 fs/open.c:1149 do_sys_open+0x85/0xd0 fs/open.c:1165 do_syscall_64+0xc6/0x5e0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe SOFTIRQ-ON-W at: lock_acquire+0x19b/0x420 kernel/locking/lockdep.c:4484 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:338 [inline] proc_pid_make_inode+0x1c0/0x390 fs/proc/base.c:1880 proc_pid_instantiate+0x40/0x140 fs/proc/base.c:3285 proc_pid_lookup+0x134/0x240 fs/proc/base.c:3320 proc_root_lookup+0x16/0x40 fs/proc/root.c:243 __lookup_slow+0x204/0x3d0 fs/namei.c:1757 lookup_slow fs/namei.c:1774 [inline] walk_component+0x684/0xef0 fs/namei.c:1915 link_path_walk.part.40+0x3c4/0xdc0 fs/namei.c:2238 link_path_walk fs/namei.c:2172 [inline] path_openat+0x194/0x2aa0 fs/namei.c:3606 do_filp_open+0x171/0x240 fs/namei.c:3637 do_sys_openat2+0x2b9/0x480 fs/open.c:1149 do_sys_open+0x85/0xd0 fs/open.c:1165 do_syscall_64+0xc6/0x5e0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe INITIAL USE at: lock_acquire+0x19b/0x420 kernel/locking/lockdep.c:4484 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x95/0xc0 kernel/locking/spinlock.c:159 __wake_up_common_lock+0xa8/0x120 kernel/sched/wait.c:122 do_notify_pidfd kernel/signal.c:1895 [inline] do_notify_parent+0x14c/0xbb0 kernel/signal.c:1922 exit_notify kernel/exit.c:668 [inline] do_exit+0x206f/0x2a10 kernel/exit.c:824 call_usermodehelper_exec_async+0x47f/0x680 kernel/umh.c:125 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 } ... key at: [] __key.53243+0x0/0x40 ... acquired at: lock_acquire+0x19b/0x420 kernel/locking/lockdep.c:4484 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:338 [inline] aio_poll fs/aio.c:1767 [inline] __io_submit_one fs/aio.c:1841 [inline] io_submit_one+0x97f/0x2b00 fs/aio.c:1878 __do_compat_sys_io_submit fs/aio.c:1979 [inline] __se_compat_sys_io_submit fs/aio.c:1949 [inline] __ia32_compat_sys_io_submit+0x163/0x3a0 fs/aio.c:1949 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline] do_fast_syscall_32+0x231/0xb27 arch/x86/entry/common.c:408 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 stack backtrace: CPU: 1 PID: 23827 Comm: syz-executor.1 Not tainted 5.6.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x128/0x182 lib/dump_stack.c:118 print_bad_irq_dependency kernel/locking/lockdep.c:2094 [inline] check_irq_usage.cold.62+0x57e/0x6d8 kernel/locking/lockdep.c:2292 check_prev_add kernel/locking/lockdep.c:2479 [inline] check_prevs_add kernel/locking/lockdep.c:2580 [inline] validate_chain kernel/locking/lockdep.c:2970 [inline] __lock_acquire+0x23f1/0x4370 kernel/locking/lockdep.c:3954 lock_acquire+0x19b/0x420 kernel/locking/lockdep.c:4484 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:338 [inline] aio_poll fs/aio.c:1767 [inline] __io_submit_one fs/aio.c:1841 [inline] io_submit_one+0x97f/0x2b00 fs/aio.c:1878 __do_compat_sys_io_submit fs/aio.c:1979 [inline] __se_compat_sys_io_submit fs/aio.c:1949 [inline] __ia32_compat_sys_io_submit+0x163/0x3a0 fs/aio.c:1949 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline] do_fast_syscall_32+0x231/0xb27 arch/x86/entry/common.c:408 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139